Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong,Shiying Han

DOI: https://doi.org/10.1109/tifs.2016.2516825

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The pilot spoofing attack is one kind of active eavesdropping activities conducted by a malicious user during the channel training phase. By transmitting the identical pilot (training) signals as those of the legal users, such an attack is able to manipulate the channel estimation outcome, which may result in a larger channel rate for the adversary but a smaller channel rate for the legitimate receiver. With the intention of detecting the pilot spoofing attack and minimizing its damages, we design a two-way training-based scheme. The effective detector exploits the intrusive component created by the adversary, followed by a secure beamforming-assisted data transmission. In addition to the solid detection performance, this scheme is also capable of obtaining the estimations of both legitimate and illegitimate channels, which allows the users to achieve secure communication in the presence of pilot spoofing attack. The detection probability is evaluated based on the derived test threshold at a given requirement on the probability of false alarming. The achievable secrecy rate is utilized to measure the security level of the data transmission. Our analysis shows that even without any pre-assumed knowledge of eavesdropper, the proposed scheme is still able to achieve the maximal secrecy rate in certain cases. Numerical results are provided to show that our scheme could achieve a high detection probability as well as secure transmission.

Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong

DOI: https://doi.org/10.1109/icc.2015.7248599

2015-01-01

Abstract:In a time-division duplex (TDD) based multi-input single-output (MISO) system, the channel state information (CSI) can be obtained during the channel estimation phase in which the receiver transmits the pilot symbols to the transmitter. This scheme may suffer from a so-called pilot spoofing attack, i.e., an adversary may send identical pilot signals as those of the legitimate receiver to spoof the transmitter. The resultant channel estimate may then contain the CSI of both legitimate and illegitimate receivers, and if such estimated channel is used for transmit beamforming, the information dedicated for legitimate receiver will leak to the illegitimate receiver. In this paper, we study the detection and defending strategies for such pilot spoofing attack. A two-way training based scheme is proposed. The durations of the training periods are also designed to optimize the secrecy rate. Finally, numerical results are presented to show the performance of our proposed method.

Hui-Ming Wang,Ke-Wen Huang,Theodoros A. Tsiftsis

DOI: https://doi.org/10.48550/arXiv.1801.04104

2018-01-12

Abstract:Transmitter-side channel state information (CSI) of the legitimate destination plays a critical role in physical layer secure transmissions. However, channel training procedure is vulnerable to the pilot spoofing attack (PSA) or pilot jamming attack (PJA) by an active eavesdropper (Eve), which inevitably results in severe private information leakage. In this paper, we propose a random channel training (RCT) based secure downlink transmission framework for a time division duplex (TDD) multiple antennas base station (BS). In the proposed RCT scheme, multiple orthogonal pilot sequences (PSs) are simultaneously allocated to the legitimate user (LU), and the LU randomly selects one PS from the assigned PS set to transmit. Under either the PSA or PJA, we provide the detailed steps for the BS to identify the PS transmitted by the LU, and to simultaneously estimate channels of the LU and Eve. The probability that the BS makes an incorrect decision on the PS of the LU is analytically investigated. Finally, closed-form secure beamforming (SB) vectors are designed and optimized to enhance the secrecy rates during the downlink transmissions. Numerical results show that the secrecy performance is greatly improved compared to the conventional channel training scheme wherein only one PS is assigned to the LU.

Information Theory

Xiaoming Liu,Bin Li,Hongbin Chen,Zhuo Sun,Ying-Chang Liang,Chenglin Zhao

DOI: https://doi.org/10.1109/lcomm.2018.2889491

IF: 3.5529

2019-01-01

IEEE Communications Letters

Abstract:This letter proposes a novel pilot spoofing attack detection scheme by introducing an auxiliary node as a trusted user, which also participates in the uplink training process and assists to detect pilot spoofing in multiple-input single-output systems. To do so, we design an efficient three-phase uplink training method, with which a malicious user can be reliably detected. In contrast to the existing methods involving two-stage uplink–downlink training, our method relies only on the uplink training stage. Meanwhile, our new scheme detects spoofing attack without altering pilot signals, which is also beyond the competence of the existing methods. Numerical results show that our method improves the detection probability significantly.

Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong

DOI: https://doi.org/10.1109/ICASSP.2015.7178270

2015-01-01

Abstract:We study a spoofing attack happened in the physical layer of a multiple-antenna system, where an adversary tries to spoof the transmitter by sending the identical pilot (training) signal as that of a legitimate receiver in the uplink channel estimation phase. This attack, named as pilot spoofing attack, could lead to a secrecy information leakage to the adversary and information rate decrease at the legitimate receiver. Due to the serious results caused by the pilot spoofing attack, we propose an energy-ratio detector (ERD) to protect the legitimate components. The ERD makes the decision by exploiting the asymmetry of the received signal strength (RSS) between the transmitter and the legitimate receiver when the system is under the pilot spoofing attack. Numerical results are presented to illustrate the effectiveness of our proposed detector.

Ke-Wen Huang,Hui-Ming Wang,Yongpeng Wu,Robert Schober

DOI: https://doi.org/10.1109/TWC.2018.2859949

IF: 10.4

2018-01-01

IEEE Transactions on Wireless Communications

Abstract:In this paper, we investigate the design of a pilot spoofing attack (PSA) carried out by multiple single-antenna eavesdroppers (Eves) in a downlink time-division duplex system, where a multiple antenna base station (BS) transmits confidential information to a single-antenna legitimate user. During the uplink channel training phase, multiple Eves collaboratively impair the channel acquisition of th...

Shiguo Wang,Qingyong Deng,Xuewen Fu,Peng Li

DOI: https://doi.org/10.1016/j.phycom.2023.102215

IF: 2.379

2023-11-06

Physical Communication

Abstract:For large-scale MIMO systems, upon the investigation of pilot spoofing on system security capacity, a novel detection scheme is proposed and the contaminated channel state information (CSI) is corrected. Specifically, a two-parts pilot sequence is exploited to implement channel estimation. The first one is conventional, and the other is partially randomized on the top of the first one. Leveraging the difference between the statistical characteristic of the estimated CSIs in two parts, a pilot spoofing detector is established based on the principle of the maximum likelihood ratio. Meanwhile, the contaminated CSI is purified with the obtained information in pilot spoofing detection, and thus system security capacity can be improved greatly. Finally, simulation results are presented to evaluate the superior performance of the proposed scheme.

telecommunications,engineering, electrical & electronic

Delong Liu,Wei Wang,Yang Huang

DOI: https://doi.org/10.1049/ell2.70074

2024-10-30

Electronics Letters

Abstract:We present a pilot spoofing attack detection scheme by using the difference of two different estimators, that is, the least square estimator and the minimum mean square error estimator, without requiring any priori of eavesdroppers. In addition, we propose a data‐aided channel estimation scheme to eliminate the PSA effect. Pilot spoofing attack (PSA) is an active eavesdropping attack in massive multiple‐input multiple‐output systems, where the eavesdroppers transmit the same pilot sequence as the legitimate user does to the base station to confuse the normal channel estimation during the uplink channel training phase. With the contaminated channel estimations, more information will be leaked to eavesdroppers in the downlink transmission phase. However, it is a challenging issue to detect the PSA attack due to the similarity of the received signals and the variations of the wireless channels. Here, a new PSA detection scheme by using the difference of two different estimators is presented, that is, the least square estimator and the minimum mean square error estimator, without requiring any priori of eavesdroppers. Following that, a new data‐aided channel estimation scheme is proposed to eliminate the PSA effect. Simulation results demonstrate that the proposed PSA detection scheme outperforms the conventional energy detector, and more accurate legitimate channel estimation and higher sum secrecy rates can be obtained with the proposed scheme.

engineering, electrical & electronic

Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong

DOI: https://doi.org/10.1109/tifs.2015.2392564

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The pilot spoofing attack is one kind of active eavesdropping conducted by a malicious user during the channel estimation phase of the legitimate transmission. In this attack, an intelligent adversary spoofs the transmitter on the estimation of channel state information (CSI) by sending the identical pilot signal as the legitimate receiver, in order to obtain a larger information rate in the data transmission phase. The pilot spoofing attack could also drastically weaken the strength of the received signal at the legitimate receiver if the adversary utilizes large enough power. Motivated by the serious problems the pilot spoofing attack could cause, we propose an efficient detector, named energy ratio detector (ERD), by exploring the asymmetry of received signal power levels at the transmitter and the legitimate receiver when there exists a pilot spoofing attack. Our analysis shows that by setting the ratio of received signal power levels at the transmitter and the legitimate receiver as the test statistic, the detecting threshold is derived without using the knowledge of the CSI of the legitimate channel as well as the illegitimate channel. Furthermore, we study the performance of the proposed ERD in various special cases in order to obtain useful insights. Numerical results are presented to further demonstrate the performance of our proposed ERD.

Yunlong Mao,Ying He,Yuan Zhang,Jingyu Hua,Sheng Zhong

DOI: https://doi.org/10.1109/tmc.2019.2937081

IF: 6.075

2020-01-01

IEEE Transactions on Mobile Computing

Abstract:Multi-User MIMO (MU-MIMO) has attracted much attention due to its significant advantage of increasing the utilization ratio of wireless channels. However, Frequency-Division Duplex (FDD) systems are vulnerable to eavesdropping, since the explicit CSI feedback can be manipulated. In this paper, we show that Time-Division Duplex (TDD) systems are insecure as well. In particular, we show that it is possible to eavesdrop on other users' downloads by tuning training sequences. In order to defend MU-MIMO against such threats, we propose a secure CSI estimation scheme, which can provide correct estimates of CSI when adversarial users are in presence. We prove that our scheme is secure against training sequence based eavesdropping attack. We have implemented our scheme for TDD MU-MIMO systems and performed a series of experiments. Results demonstrate that our secure CSI estimation scheme is highly effective in protecting TDD MIMO networks against eavesdropping attack. Furthermore, we extend our scheme to support massive MU-MIMO networks, with a carefully redesigned uplink protocol and optimized power allocation to achieve higher spectral efficiency. To be more practical, we also take mismatch channel issue into our consideration. An enhancement scheme is proposed and we show that our scheme with enhancement is secure and correct under mismatch channel.

Fengyi Bai,Pinyi Ren,Qinghe Du,Li Sun

DOI: https://doi.org/10.1109/pimrc.2016.7794707

2016-01-01

Abstract:Pilot spoofing attack can deteriorate the transmission performance of the legitimate system and facilitate eavesdropping concurrently. Some detection methods of pilot attack have been proposed, while we consider the problem of channel estimation under pilot spoofing attack. In this paper, a hybrid channel estimation strategy using random Binary Phase Shift Keying (BPSK) is proposed. Specifically, a random BPSK sequence is transmitted by the legal user once the attack is detected. In this manner, the base station detects the sequence and re-estimates the legal channel with both contaminated pilot and assistant sequence. We evaluate the estimation performance in three cases according to different responses of the malicious user. Simulation results demonstrate that the proposed strategy can effectively estimate the legitimate channel against pilot attack.

Jiejiao Tian,Ying-Chang Liang,Xin Kang,Gang Yang

DOI: https://doi.org/10.1109/ICCChina.2017.8330342

2017-01-01

Abstract:In this paper, we propose a new type of attack from the perspective of the eavesdropper. The full-duplex eavesdropper acts as a relay in the uplink channel estimation phase forwarding the received pilot signal from legitimate receiver to confound the legitimate transmitter. Compared to pilot spoofing attack, which needs the eavesdropper to know the pilot signal accurately, the pilot relay attack only needs the eavesdropper to know the frame structure of the legitimate transceiver pair. In this paper, we study the optimal amplify-and-forward strategy of the eavesdropper so that its eavesdropping behavior is harder to be detected by maximizing the transmission rate from the legitimate transmitter to the legitimate receiver under the constraint that the eavesdropping rate is larger than the legitimate transmission rate. Furthermore, we analyze the performance of the pilot relay attack when Eve is at different locations, the simulations have shown that different strategies should be adopted at different locations.

Weile Zhang,Hai Lin,Ruonan Zhang

DOI: https://doi.org/10.1109/tcomm.2018.2791535

IF: 6.166

2018-01-01

IEEE Transactions on Communications

Abstract:Pilot contamination attack is an important activity of active eavesdropping conducted by a malicious user during channel training phase. This attack is potentially harmful to the physical layer security. In this paper, motivated by the fact that frequency asynchronism could introduce divergence of the transmitted pilot signals between intended user and attacker, we propose a new uncoordinated frequency shift (UFS) scheme for detecting pilot contamination attack in multiple antenna system. During the reverse training phase of the UFS scheme, the legitimate user Bob deliberately introduces multiple random frequency shifts in the publicly known pilot sequence. Since eavesdropper Eve has no knowledge of these random frequency shifts, it is almost impossible for her to pretend exactly like Bob. This provides the opportunity to detect the presence of Eve. An attack detection algorithm is then developed based on source enumeration method. Both the asymptotic performance analysis and numerical results are provided to verify the proposed detection scheme. The proposed scheme is also enhanced based on noise power estimation to cope with attacks from a multi-antenna Eve. Furthermore, the proposed UFS scheme is extended by introducing general parameterized phase shifts. It is demonstrated that the proposed UFS scheme can achieve comparable detection performance as the existing superimposed random sequence based scheme, without sacrifice of legitimate channel estimation performance.

Purui Wang,Zuyao Ni,Chunxiao Jiang,Linling Kuang,Wei Feng

DOI: https://doi.org/10.1109/gcwkshps45667.2019.9024580

2019-01-01

Abstract:In the multi-antenna satellite communication system, beamforming and artificial noise are usually adopted to enhance physical layer security. However, due to the long distance between the satellite and the terrestrial terminal, the coverage of the main lobe in the satellite downlink is so large that the eavesdropper can get into the coverage easily despite of using spot beams. When the eavesdropper is close to the legitimate user, the difference between the main channel and the wiretap channel is small, which makes the secrecy capacity decrease rapidly. This paper proposes a novel scheme to solve this problem by using two different beams which work on different frequencies to transmit the same signal to the legitimate user. This dual-beam dual- frequency scheme can enlarge the difference between the desired channel and the wiretap channel. Then, if we add some artificial noise set the proper beamforming vectors, the secrecy capacity will remain high when the eavesdropper is in the small zone near the legitimate user. In order to derive the artificial noise and the beamforming vectors, we transform the problem into a semidefinite problem and use CVX tools to solve the problem. Simulation results prove that this scheme can achieve high secrecy capacity even when the eavesdropper is very close to the legitimate user.

Lingyun Chai,Lin Bai,Tong Bai,Jia Shi,Arumugam Nallanathan

DOI: https://doi.org/10.1109/jiot.2023.3264679

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:As for the time-division communications system, the pilot spoofing attack technique is maliciously utilized by active eavesdroppers during the uplink training phase, for contaminating the legitimate channel estimation and thus altering the beamforming design towards the eavesdroppers. Nonorthogonal multiple access (NOMA) has been recognized as the key technology for the envisioned Internet of Things (IoT) networks. In order to prevent the aforementioned information leakage in NOMA-IoT systems, we develop a novel two-way training scheme to detect pilot spoofing attack and a robust secure beamforming design for providing secure transmission, by utilizing the emerging technique of reconfigurable intelligent surface (RIS), which is turned off during the uplink training phase and turned on during the downlink training phase, respectively. Considering that the perfect channel state information related to the eavesdropping channel is typically difficult to obtain, a secrecy outage probability constrained robust secure beamforming design is proposed to maximize the achievable sum secrecy rate of the legitimate users, by alternatively optimizing the active beamforming and RIS passive beamforming, while satisfying the requirements of the NOMA transmission. Elaborate simulation results reveal that the proposed detection method attains a super pilot spoofing attack detection performance and the proposed robust secure beamforming design is capable of efficiently enhancing the achievable sum secrecy rate, compared with various benchmark schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yongpeng Wu,Robert Schober,Derrick Wing Kwan Ng,Chengshan Xiao,Giuseppe Caire

DOI: https://doi.org/10.1109/tit.2016.2569118

IF: 2.5

2016-01-01

IEEE Transactions on Information Theory

Abstract:In this paper, we investigate secure and reliable transmission strategies for multi-cell multi-user massive multiple-input multiple-output systems with a multi-antenna active eavesdropper. We consider a time-division duplex system where uplink training is required and an active eavesdropper can attack the training phase to cause pilot contamination at the transmitter. This forces the precoder used in the subsequent downlink transmission phase to implicitly beamform toward the eavesdropper, thus increasing its received signal power. Assuming matched filter precoding and artificial noise (AN) generation at the transmitter, we derive an asymptotic achievable secrecy rate when the number of transmit antennas approaches infinity. For the case of a single-antenna active eavesdropper, we obtain a closed-form expression for the optimal power allocation policy for the transmit signal and the AN, and find the minimum transmit power required to ensure reliable secure communication. Furthermore, we show that the transmit antenna correlation diversity of the intended users and the eavesdropper can be exploited in order to improve the secrecy rate. In fact, under certain orthogonality conditions of the channel covariance matrices, the secrecy rate loss introduced by the eavesdropper can be completely mitigated.

Dongyang Xu,Pinyi Ren,James A. Ritcey,Hongliang He,Qian Xu

DOI: https://doi.org/10.1109/WCNC.2018.8377015

2018-01-01

Abstract:Conventional time-division duplex (TDD) orthogonal frequency division multiplexing (TDD-OFDM) system is vulnerable to the pilot spoofing attack as it mainly relies on employing the deterministic pilot to capture the channel state information (CSI). To solve the abovementioned issue, we in this paper propose an independent component analysis (ICA) based channel identification and estimation (ICA-CIE) mechanism which uses randomized pilot to paralyze the pilot spoofing attack. Specifically, we first convert the pilot spooling attack to the pilot jamming attack by exploiting pilot randomization. Then, an eigenstructure-based detector (EID) is proposed to realize efficient pilot jamming attack detection. In particular, on one hand, Least Square (LS) method is adopted if no jamming attack is detected. On the other hand, if jamming attack is detected, we further design a channel-separation oriented joint approximate diagonalization of eigen-matrices (CS-JADE) algorithm for channel estimation and identification. Therein, an optimization problem is first formulated to optimize the fourth-order statistical information of the observation data, after which a pilot signal reconstruction scheme is further developed to help identify true sub-channels from the optimization output. Simulation results demonstrate that our proposed ICA-CIE mechanism can achieve highly-accurate channel estimation for the legitimate transceiver pair only by using 6 OFDM symbols within the coherence time. Moreover, we also observe that the estimation accuracy of our proposed mechanism is immune to Eve's transmit power, which further verifies superiority of our proposed mechanism.

Die Hu,Wei Zhang,Lianghua He,Jun Wu

DOI: https://doi.org/10.1109/lwc.2018.2859329

IF: 6.3

2019-01-01

IEEE Wireless Communications Letters

Abstract:In this letter, we investigate secure transmission for multi-cell multi-user massive multiple-input multiple-output systems with an active eavesdropper. During the uplink (UL) training, the eavesdropper can attack the training phase to cause pilot contamination. To resist such pilot contamination attack (PCA), we propose a secure transmission that does not require statistical information of the channels. In the proposed transmission strategy, we first detect PCA by a simple method. If the PCA is not detected, we then estimate the UL data of the users by a semi-blind method based on an asynchronous protocol. After that, we perform the data-aided channel estimation and design the corresponding precoder. Simulation results demonstrate that the proposed transmission can effectively resist the PCA even when the PCA detection method fails.

Weiyang Xu,Ruiguang Wang,Yuan Zhang,Hien Quoc Ngo,Wei Xiang

2024-04-11

Abstract:The channel hardening effect is less pronounced in the cell-free massive multiple-input multiple-output (mMIMO) system compared to its cellular counterpart, making it necessary to estimate the downlink effective channel gains to ensure decent performance. However, the downlink training inadvertently creates an opportunity for adversarial nodes to launch pilot spoofing attacks (PSAs). First, we demonstrate that adversarial distributed access points (APs) can severely degrade the achievable downlink rate. They achieve this by estimating their channels to users in the uplink training phase and then precoding and sending the same pilot sequences as those used by legitimate APs during the downlink training phase. Then, the impact of the downlink PSA is investigated by rigorously deriving a closed-form expression of the per-user achievable downlink rate. By employing the min-max criterion to optimize the power allocation coefficients, the maximum per-user achievable rate of downlink transmission is minimized from the perspective of adversarial APs. As an alternative to the downlink PSA, adversarial APs may opt to precode random interference during the downlink data transmission phase in order to disrupt legitimate communications. In this scenario, the achievable downlink rate is derived, and then power optimization algorithms are also developed. We present numerical results to showcase the detrimental impact of the downlink PSA and compare the effects of these two types of attacks.

Information Theory